From 564631637bcd238b4c9aad5496aa9e049f948dd9 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 23 Nov 2020 14:25:24 +0000 Subject: Fix more bugs; disable renegociation in bearssl client --- src/sbearssl/sbearssl_client_init_and_run.c | 1 + src/sbearssl/sbearssl_ta_readdir.c | 28 ++++++++++++---------- src/stls/stls_client_init_and_handshake.c | 36 ++++++++++++++--------------- src/stls/stls_server_init_and_handshake.c | 23 ++++++++---------- 4 files changed, 44 insertions(+), 44 deletions(-) (limited to 'src') diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c index a6e7aca..73fac70 100644 --- a/src/sbearssl/sbearssl_client_init_and_run.c +++ b/src/sbearssl/sbearssl_client_init_and_run.c @@ -59,6 +59,7 @@ void sbearssl_client_init_and_run (int *fds, tain_t const *tto, uint32_t preopti sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, storage.s) ; genalloc_free(sbearssl_ta, &tas) ; br_ssl_client_init_full(&cc, &xc, btas, talen) ; + br_ssl_engine_add_flags(&cc.eng, BR_OPT_NO_RENEGOTIATION) ; random_string((char *)buf, 32) ; random_finish() ; br_ssl_engine_inject_entropy(&cc.eng, buf, 32) ; diff --git a/src/sbearssl/sbearssl_ta_readdir.c b/src/sbearssl/sbearssl_ta_readdir.c index 4093bcf..f340503 100644 --- a/src/sbearssl/sbearssl_ta_readdir.c +++ b/src/sbearssl/sbearssl_ta_readdir.c @@ -1,11 +1,15 @@ /* ISC license. */ +#include #include #include + +#include #include #include #include #include + #include int sbearssl_ta_readdir (char const *dirfn, genalloc *taga, stralloc *tasa) @@ -18,26 +22,26 @@ int sbearssl_ta_readdir (char const *dirfn, genalloc *taga, stralloc *tasa) stralloc certsa = STRALLOC_ZERO ; genalloc certga = GENALLOC_ZERO ; DIR *dir = opendir(dirfn) ; + char fn[dirfnlen + 12] ; if (!dir) return -1 ; + memcpy(fn, dirfn, dirfnlen) ; + fn[dirfnlen] = '/' ; for (;;) { direntry *d ; + uint32_t dummy ; errno = 0 ; d = readdir(dir) ; if (!d) break ; - if (d->d_name[0] == '.') continue ; - { - size_t dlen = strlen(d->d_name) ; - char fn[dirfnlen + dlen + 2] ; - memcpy(fn, dirfn, dirfnlen) ; - fn[dirfnlen] = '/' ; - memcpy(fn + dirfnlen + 1, d->d_name, dlen) ; - fn[dirfnlen + 1 + dlen] = 0 ; - genalloc_setlen(sbearssl_cert, &certga, 0) ; - certsa.len = 0 ; - if (sbearssl_cert_readfile(fn, &certga, &certsa)) continue ; - } + + /* only process files with valid hash names */ + if (uint32_xscan(d->d_name, &dummy) != 8 || d->d_name[8] != '.' || d->d_name[9] != '0' || d->d_name[10]) continue ; + + memcpy(fn + dirfnlen + 1, d->d_name, 11) ; + genalloc_setlen(sbearssl_cert, &certga, 0) ; + certsa.len = 0 ; + if (sbearssl_cert_readfile(fn, &certga, &certsa)) continue ; sbearssl_ta_certs(taga, tasa, genalloc_s(sbearssl_cert, &certga), genalloc_len(sbearssl_cert, &certga), certsa.s) ; } if (errno) goto fail ; diff --git a/src/stls/stls_client_init_and_handshake.c b/src/stls/stls_client_init_and_handshake.c index 173942f..f0cc5be 100644 --- a/src/stls/stls_client_init_and_handshake.c +++ b/src/stls/stls_client_init_and_handshake.c @@ -22,6 +22,21 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, cfg = tls_config_new() ; if (!cfg) strerr_diefu1sys(111, "tls_config_new") ; + if (preoptions & 1) + { + x = getenv("CERTFILE") ; + if (!x) strerr_dienotset(100, "CERTFILE") ; + if (tls_config_set_cert_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_cert_file") ; + + x = getenv("KEYFILE") ; + if (!x) strerr_dienotset(100, "KEYFILE") ; + if (tls_config_set_key_file(cfg, x) < 0) + diecfg(cfg, "tls_config_set_key_file") ; + } + + stls_drop() ; + x = getenv("CADIR") ; if (x) { @@ -36,24 +51,9 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, if (tls_config_set_ca_file(cfg, x) < 0) diecfg(cfg, "tls_config_set_ca_file") ; } - else strerr_dief1x(100, "no trust anchor found - please set CADIR or CAFILE") ; + else strerr_diefu1x(100, "get trust anchor list: neither CADIR nor CAFILE is set") ; } - if (preoptions & 1) - { - x = getenv("CERTFILE") ; - if (!x) strerr_dienotset(100, "CERTFILE") ; - if (tls_config_set_cert_file(cfg, x) < 0) - diecfg(cfg, "tls_config_set_cert_file") ; - - x = getenv("KEYFILE") ; - if (!x) strerr_dienotset(100, "KEYFILE") ; - if (tls_config_set_key_file(cfg, x) < 0) - diecfg(cfg, "tls_config_set_key_file") ; - } - - stls_drop() ; - if (tls_config_set_ciphers(cfg, "secure") < 0) diecfg(cfg, "tls_config_set_ciphers") ; @@ -75,8 +75,6 @@ struct tls *stls_client_init_and_handshake (int const *fds, uint32_t preoptions, if (tls_connect_fds(ctx, fds[0], fds[1], servername) < 0) diectx(97, ctx, "tls_connect_fds") ; tls_config_free(cfg) ; - strerr_warn1x("before handshake") ; - if (tls_handshake(ctx) < 0) diectx(97, ctx, "perform SSL handshake") ; - strerr_warn1x("after handshake") ; + if (tls_handshake(ctx) < 0) diectx(97, ctx, "tls_handshake") ; return ctx ; } diff --git a/src/stls/stls_server_init_and_handshake.c b/src/stls/stls_server_init_and_handshake.c index 5dd5284..e6869be 100644 --- a/src/stls/stls_server_init_and_handshake.c +++ b/src/stls/stls_server_init_and_handshake.c @@ -14,8 +14,8 @@ struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions) { - struct tls *cctx ; - struct tls *ctx ; + struct tls *ctx = 0 ; + struct tls *sctx ; struct tls_config *cfg ; char const *x ; @@ -70,16 +70,13 @@ struct tls *stls_server_init_and_handshake (int const *fds, uint32_t preoptions) tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) ; tls_config_prefer_ciphers_server(cfg) ; - ctx = tls_server() ; - if (!ctx) strerr_diefu1sys(111, "tls_server") ; - if (tls_configure(ctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; + sctx = tls_server() ; + if (!sctx) strerr_diefu1sys(111, "tls_server") ; + if (tls_configure(sctx, cfg) < 0) diectx(97, ctx, "tls_configure") ; tls_config_free(cfg) ; - if (tls_accept_fds(ctx, &cctx, fds[0], fds[1]) < 0) - diectx(97, ctx, "tls_accept_fds") ; - tls_free(ctx) ; - strerr_warni1x("before handshake") ; - if (tls_handshake(cctx) < 0) - diectx(97, cctx, "perform SSL handshake") ; - strerr_warni1x("after handshake") ; - return cctx ; + if (tls_accept_fds(sctx, &ctx, fds[0], fds[1]) < 0) + diectx(97, sctx, "tls_accept_fds") ; + tls_free(sctx) ; + if (tls_handshake(ctx) < 0) diectx(97, ctx, "tls_handshake") ; + return ctx ; } -- cgit v1.2.3